Re: How do you search an inputlookup for the resul...

DdanielbriemB · ‎09-10-2018

I'm a little stumped with what I am trying to achieve with the lookup of values from a CSV, which are based on the search results I get when performing a search.

CSV is defined as an inputlookup and contains field1,field2

When I search, I will have a value returned that is in the format of field1 in the CSV. And, I would like to display the corresponding field2 in my search results. For example: username,displayname.

I've looked at the inputlookup and lookup documentation, but am unsure on how to pass results or filter a subqueries results for the value.

richgalloway · ‎09-10-2018

Searching a lookup file named foo.csv that contains "field1" and "field2" is simply ... | lookup foo.csv field1 OUTPUT field2.
This means you will need a field called "field1" before calling lookup. The SPL for that is index=myindex field1="*" | lookup foo.csv field1 OUTPUT field2.
What if your events don't have a field called "field1"? The lookup command allows for that as in this example

index=myindex username="*" | lookup foo.csv field1 as username OUTPUT field2 as displayname | table username displayname

---
If this reply helps you, Karma would be appreciated.

How do you search an inputlookup for the results of your query?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases